cbcvebase.
CVE-2016-20016
published 2022-10-19

Priority: P1 · 95 · critical
CVSS 3.1: 9.8 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 86.29% (99.7th percentile)
MVPower CCTV DVR models, including TV-7104HE 1.8.4 115215B9 and TV7108HE, contain a web shell that is accessible via a /shell URI. A remote unauthenticated attacker can execute arbitrary operating system commands as root. This vulnerability has also been referred to as the "JAWS webserver RCE" because of the easily identifying HTTP response server field. Other firmware versions, at least from 2014 through 2019, can be affected. This was exploited in the wild in 2017 through 2022.

Affected (1 range)

Vendor | Product | Version range | Fixed in
mvpower | tv-7104he_firmware | |

Detection & IOCs (extracted from sources)

path: /shell
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS MVPower CCTV DVR /shell JAWS Webserver Unauthenticated Remote Command Execution (CVE-2016-20016)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/shell|3f|"; fast_pattern; startswith; pcre:"/^.*?(?:[\x3b\x7c\x24\x60]|\x2d{1,2}\w+(?:\x20|\x2520))/R"; reference:url,www.pentestpartners.com/security-blog/pwning-cctv-cameras/; reference:cve,2016-20016; classtype:web-application-attack; sid:2030092; rev:4; metadata:affected_product Linux, attack_target Web_Server, created_at 2020_05_04, deployment Perimeter, former_category MALWARE, confidence Medium, signature_severity Major, updated_at 2025_04_07; target:dest_ip;)
  • The vulnerable endpoint is /shell: any GET request to this URI path on the target device indicates an exploitation attempt. The query string carries the OS command to execute.
  • The HTTP response 'Server' header value 'JAWS' is a reliable fingerprint for identifying vulnerable MVPower DVR devices and exploitation traffic.
  • Detection should focus on GET requests to URIs beginning with /shell? (written in the rule as /shell|3f|, where |3f| is the hex byte for ?) that contain shell metacharacters: semicolon (0x3b), pipe (0x7c), dollar sign (0x24), backtick (0x60), or words prefixed with one or two dashes and followed by a space or %20 (CLI flags), which indicate command injection payloads.
  • The vulnerability requires no authentication — any unauthenticated GET to /shell from external networks should be treated as a high-confidence attack attempt.
  • Multiple firmware versions spanning 2014–2019 are affected, not just the tested version 1.8.4 115215B9. Detection rules should not be scoped to a single firmware version.
  • The Metasploit module was only confirmed tested on TV-7104HE firmware 1.8.4 115215B9; TV-7108HE is reportedly affected but untested, so behavioral coverage may vary.
  • The Snort/Suricata rule (sid:2030092) carries only 'Medium' confidence metadata, meaning false positives are possible; tune accordingly in high-traffic environments.
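
The same detection logic applied to web or proxy access logs, as an added example (not part of the original page or of the ET rule set). It assumes combined-format log lines; the sample lines, addresses and the names classify and scan are constructed for illustration. It separates requests that meet the conditions of sid:2030092 from /shell requests the rule would not fire on.

```python
import re
from urllib.parse import unquote

# Source address and request line of a combined-format access log entry.
REQUEST = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')
# Character classes from the pcre in sid:2030092: ; | $ ` or a one/two-dash
# flag followed by a space or a literal %20.
INJECTION = re.compile(r'[;|$`]|-{1,2}\w+(?: |%20)')

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:00:00:01 +0000] "GET /shell?echo%20test;id HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/Jan/2024:00:00:02 +0000] "GET /shell?ls%20-l%20/tmp HTTP/1.1" 200 40',
    '192.0.2.10 - - [01/Jan/2024:00:00:03 +0000] "GET /shell?uptime HTTP/1.1" 200 30',
    '192.0.2.10 - - [01/Jan/2024:00:00:04 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:00:00:05 +0000] "GET /shellfish?x=1;y HTTP/1.1" 404 0',
]

def classify(line):
    """Return 'rule-match', 'shell-access' or None for one log line."""
    m = REQUEST.search(line)
    if not m or m.group("method") != "GET":
        return None
    uri = m.group("uri")
    # Only the exact /shell path counts; /shellfish and similar do not.
    if uri != "/shell" and not uri.startswith("/shell?"):
        return None
    query = uri[len("/shell?"):]
    # Checking the percent-decoded query too is an addition beyond the rule,
    # so an encoded metacharacter such as %3B is still caught.
    if INJECTION.search(query) or INJECTION.search(unquote(query)):
        return "rule-match"
    # No metacharacter: sid:2030092 stays silent, but the endpoint needs no
    # authentication, so the request is still reported.
    return "shell-access"

def scan(lines):
    """Return (source address, verdict) for every flagged line."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict:
            hits.append((line.split()[0], verdict))
    return hits

if __name__ == "__main__":
    for src, verdict in scan(SAMPLE_LOG):
        print(src, verdict)
```

The shell-access tier covers the gap between the rule's metacharacter requirement and the guidance above that any unauthenticated GET to /shell should be treated as an attack attempt.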

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck | 9.8 | CRITICAL